[Fedora-commons-users] problem validating xacml test policy


Jeffery A. Triggs
Jan 29, 2008, 4:56:02 PM
to fedora-commons-users
We're trying to test one of the sample xacml policies in Fedora 2.2.1
and cannot get the test file to validate. Does anyone see something
obvious that we might have missed?

Thanks,

Jeffery

Error:
validate-policy.sh rutgers-lib-10833.xml
ERROR [main] (ValidatePolicy.java:123) - couldn't parse repo-wide policy
org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'ActionAttributeDesignator'. One of '{"urn:oasis:names:tc:xacml:1.0:policy":AttributeValue}' is expected.
at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source)
at org.apache.xerces.impl.xs.XMLSchemaValidator.emptyElement(Unknown Source)
at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:161)
at fedora.server.security.ValidatePolicy.main(ValidatePolicy.java:120)
Validation failed

The code section in question:
<Resources>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
      <ResourceAttributeDesignator
          AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ResourceMatch>
  </Resource>
</Resources>

Ford, Kevin
Jan 30, 2008, 11:48:43 AM
to fedora-commons-users
Dear Jeffrey,

It appears the error is in the "<Actions>" block; you sent along the "<Resources>" block of the XACML policy. Which sample XACML policy are you trying? Did the "<Actions>" block contain a proper "AttributeValue" element?

Warmly,

Kevin


---------------------------


Kevin Ford
Digital Services Specialist
Columbia College Chicago Library
624 S. Michigan Avenue
Chicago, IL 60605
Tel: 312 344 8568
Email: kf...@colum.edu
_______________________________________________
Fedora-commons-users mailing list
Fedora-com...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users

Jeffery A. Triggs
Jan 30, 2008, 11:56:03 AM
to Ford, Kevin, fedora-commons-users
Hi Kevin,

This was the sample file we started with:
http://www.fedora.info/download/2.1b/userdocs/server/security/xacml-policies/examples/example-repository-policies/apia-tighten-defaults/apia-restrict-datastreams/deny-apia-datastream-DC-to-all-users.xml
Someone has suggested that our version had a missing <Target>
element, but even with that put back in, we are still getting errors.

Thanks for any help,

Jeffery

Ford, Kevin
Jan 30, 2008, 12:12:16 PM
to Jeffery A. Triggs, fedora-commons-users
Dear Jeffrey,

Indeed, that policy fails. I tried the same policy, but this time from the 2.2.1 documentation:

http://www.fedora.info/download/2.2.1/userdocs/server/security/xacml-policies/examples/example-repository-policies/apia-tighten-defaults/apia-restrict-datastreams/deny-apia-datastream-DC-to-all-users.xml

The 2.2.1 XACML policy validates successfully.

For what it is worth, I did get the 2.1b policy to validate, but I had to place the "AttributeValue" elements before the AttributeDesignator element in both the ActionMatch block and ResourceMatch block. As far as I can tell, that is the only distinction between the two policies.

All the best,

Kevin
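The ordering rule Kevin describes (AttributeValue before the AttributeDesignator inside each ResourceMatch and ActionMatch) can be checked mechanically before a policy is handed to validate-policy.sh. The script below is an added example, not code from this thread or from Fedora: it walks a XACML 1.0 policy with the standard library, reports every *Match element whose first child is not AttributeValue, and can rewrite the policy with the children in schema order. The ResourceMatch in the constructed sample policy is the one quoted earlier in the thread; the action attribute id and its value are assumptions made for illustration, not copied from the sample policy.

```python
"""Check and repair the child order inside XACML 1.0 *Match elements.

Added example, not code from this thread or from Fedora. The XACML 1.0
schema defines SubjectMatch/ResourceMatch/ActionMatch as a sequence:
AttributeValue first, then the attribute designator or selector. A match
with the designator first is what produces the cvc-complex-type.2.4.a
error quoted in the thread.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"
MATCH_ELEMENTS = ("SubjectMatch", "ResourceMatch", "ActionMatch")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on a tag."""
    return tag.rsplit("}", 1)[-1]


def _match_elements(root):
    """Collect every *Match element up front so the tree can be edited safely."""
    return [e for e in root.iter() if _local(e.tag) in MATCH_ELEMENTS]


def find_misordered_matches(policy_xml):
    """Return (match_tag, first_child_tag) for each *Match whose first child
    is not AttributeValue; an empty list means the order is schema-valid."""
    root = ET.fromstring(policy_xml)
    problems = []
    for match in _match_elements(root):
        children = list(match)
        first = _local(children[0].tag) if children else None
        if first != "AttributeValue":
            problems.append((_local(match.tag), first))
    return problems


def reorder_matches(policy_xml):
    """Return the policy with AttributeValue moved to the front of every *Match.
    The remaining children keep their relative order; nothing else changes."""
    ET.register_namespace("", XACML_NS)  # serialise with the default namespace
    root = ET.fromstring(policy_xml)
    for match in _match_elements(root):
        children = list(match)
        values = [c for c in children if _local(c.tag) == "AttributeValue"]
        others = [c for c in children if _local(c.tag) != "AttributeValue"]
        if not values or children[0] is values[0]:
            continue  # already in schema order (or nothing to move)
        for child in children:
            match.remove(child)
        for child in values + others:
            match.append(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample policy for this example. The ResourceMatch is the one
# quoted in the thread; the ActionMatch deliberately has the designator
# first, the order that fails validation. The action attribute id and its
# value are assumptions made for illustration, not copied from the sample.
SAMPLE_POLICY = """\
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="constructed-example-deny-DC"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <ActionAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:action:id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">example-action-id</AttributeValue>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="deny-DC" Effect="Deny"/>
</Policy>
"""

if __name__ == "__main__":
    print("before:", find_misordered_matches(SAMPLE_POLICY))
    print("after: ", find_misordered_matches(reorder_matches(SAMPLE_POLICY)))
```

Running the script on the sample reports the misordered ActionMatch first and an empty list after the rewrite. The reordered output is still worth passing through validate-policy.sh, since the check only covers element order, not the other constraints the schema imposes.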

Jeffery A. Triggs
Jan 30, 2008, 12:39:04 PM
to Ford, Kevin, fedora-commons-users
Hi Kevin,

I think the 2.1b we're using did require the AttributeValue element to appear before the AttributeDesignator. In any event, we were able to validate our policies - thanks very much for your help! - we still can't get them to function however. Is there any site where these sample policies are demoed in action that we could visit?

Jeffery

Ford, Kevin
Jan 30, 2008, 1:34:08 PM
to Jeffery A. Triggs, fedora-commons-users

Dear Jeffery,

I don't know of a website that hosts fedora with the demo XACML policies in effect. That being said, on my workstation, I dropped the demo policy into the policies directory and then reloaded the policies (there is a "fedora-reload-policies" executable in FEDORA_HOME/server/bin; you could also restart tomcat). When I visited

http://localhost:8080/fedora/get/%PID%/DC

I received a blank page where I should have seen the DC record (the other datastreams for this object displayed correctly). I'm running Fedora 2.2.1.

NB. Make sure the enforce-mode parameter in the fedora.fcfg file is set to enforce-policies (<param name="ENFORCE-MODE" value="enforce-policies"/>).

Good luck,

Kevin
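Kevin's closing note is the one most often missed: a policy that validates and loads does nothing if fedora.fcfg is not in enforce-policies mode, and the only symptom is that the DC datastream keeps being served. The following is an added example, not code from this thread or from Fedora, that reads the fcfg as XML and reports whether the ENFORCE-MODE param has the expected value, is set to something else, or is missing altogether. The namespace and module role in the constructed fragments are placeholders, and the non-enforcing value in the second fragment is an assumption; only the param line itself is taken from the thread.

```python
"""Check that fedora.fcfg actually enforces XACML policies.

Added example, not code from this thread or from Fedora. It parses the
fcfg as XML and looks for the ENFORCE-MODE param quoted in the thread,
without depending on which module the param is nested in.
"""
import xml.etree.ElementTree as ET

EXPECTED_MODE = "enforce-policies"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on a tag."""
    return tag.rsplit("}", 1)[-1]


def enforce_mode(fcfg_xml):
    """Return the ENFORCE-MODE value, or None if the param is missing."""
    root = ET.fromstring(fcfg_xml)
    for elem in root.iter():
        if _local(elem.tag) == "param" and elem.get("name") == "ENFORCE-MODE":
            return elem.get("value")
    return None


def check_enforce_mode(fcfg_xml):
    """Return (ok, message); ok is True only when policies are enforced."""
    mode = enforce_mode(fcfg_xml)
    if mode is None:
        return False, "ENFORCE-MODE param not found in fedora.fcfg"
    if mode != EXPECTED_MODE:
        return False, f"ENFORCE-MODE is {mode!r}, expected {EXPECTED_MODE!r}"
    return True, "policies are enforced"


# Constructed fcfg fragments. The namespace and module role are placeholders
# (the real file is longer); the param line has the form quoted in the thread.
FCFG_ENFORCING = """\
<server xmlns="urn:example:fcfg-placeholder">
  <module role="example.Authorization" class="example.AuthzImpl">
    <param name="ENFORCE-MODE" value="enforce-policies"/>
  </module>
</server>
"""

# "permit-all-requests" is an assumed non-enforcing value for this example.
FCFG_NOT_ENFORCING = FCFG_ENFORCING.replace(
    'value="enforce-policies"', 'value="permit-all-requests"')

FCFG_MISSING = FCFG_ENFORCING.replace(
    '<param name="ENFORCE-MODE" value="enforce-policies"/>', "")

if __name__ == "__main__":
    for label, text in (("enforcing", FCFG_ENFORCING),
                        ("not enforcing", FCFG_NOT_ENFORCING),
                        ("missing", FCFG_MISSING)):
        print(label, check_enforce_mode(text))
```

Point `check_enforce_mode` at the contents of FEDORA_HOME/server/config/fedora.fcfg (path assumed for a 2.2.1 install) before reloading policies; a False result explains a policy that validates yet never takes effect.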
